Directors to be held personally responsible in GDPR world

D&O in the spotlight as ICO looks to hold individuals accountable for data failures

By Lucy Hook

Directors and officers (D&O) cover could become increasingly important in today’s General Data Protection Regulation (GDPR) world, as the Information Commissioner’s Office seeks to hold directors personally responsible for data issues, according to law firm BLM.

GDPR, which came into force last month, brings in significant penalties for firms that fail to protect consumers’ data. Sitting alongside it is the UK’s Data Protection Act (DPA) 2018, which also came into force in May and states that directors themselves can be liable for criminal acts under the GDPR.

“There is now a direct avenue – which frankly, was actually there before, but I don’t think many people picked up on this – which is now fed through into the DPA,” said Ross Baker, partner in BLM’s London office, at the Airmic annual conference this month.

On top of that, the Information Commissioner’s Office (ICO) is increasingly looking to hold individual directors responsible for wrongdoing.

“We know that Elizabeth Denham [the UK information commissioner] is very keen to pin personal responsibility on people,” said Baker.

Since being given the power to fine data controllers in 2010, the ICO has handed companies penalties in the hundreds of thousands of pounds, including a £400,000 fine to Carphone Warehouse at the beginning of the year for a data breach that involved the personal data of over three million customers and 1,000 employees.

But despite showing its teeth, the ICO hasn’t always been successful in recouping the fines it has handed down. One report suggests that between 2010 and 2018, the body had a 54% recovery rate for penalties issued.

In some cases, particularly those involving cold-calling and nuisance calls, companies have gone into liquidation before the cash could be recouped, said Baker.

“That’s obviously caused a bit of irritation there, so [the ICO] are really looking at – who is the primary mover?” he explained. “Who is the main director that’s the cause of this, who may then want to go and open another business doing the same thing two months later? Let’s go after them and their personal assets. I think that’s a key change here.”

 

 
